Meanwhile I found the important statement in the docu: "In NSEC3 opt-out
mode (the only NSEC3 mode PowerDNS currently supports) ....".
Are there any plans to support NSEC3 without opt-out?
Further, I wonder why and how PowerDNS synthesizes the NSEC3 records on
the fly? In our setup PDNS is a secondary, the signing happens on the
master. Thus, PDNS receives the zone with AXFR, including the NSEC3
records and the corresponding RRSIG records. Then, PDNS ignores all the
NSEC3 records and synthesizes them anew. Therefore there is a great chance
that the original signature does not work anymore, and that's also the
reason why a zone without opt-out gets broken by PDNS.
regards
Klaus
On 27.03.2013 18:06, Klaus Darilion wrote:
Hi!
We have a setup with Powerdns between a bind master and bind
secondaries. The master signs the zone without "opt-out". Thus, the
NSEC3 records in the zone transfer from master->PDNS have the NSEC3 flag
set to 0. When the bind secondaries transfer the zone from PDNS, the
NSEC3 records all have the NSEC3 flag set to 1 (opt-out). Of course this
breaks the signature of the NSEC3 RR.
Is this a known issue? Is there a config option to fix this?
Thanks
Klaus
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
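The flag rewrite described in this thread can be checked mechanically. The following Python script is an added example, not code from the thread or from PowerDNS: it parses NSEC3 records in presentation format, builds the wire RDATA that an RRSIG is computed over, and lists owner names whose NSEC3 flags differ between the master's and the secondary's copy. The zone name, salt and hashed owner names are constructed sample values.

```python
"""Detect NSEC3 flag rewrites between a signing master and a secondary. The flags byte
is part of the signed RDATA (RFC 5155 section 3.1.2), so flipping opt-out breaks the RRSIG."""
import base64
TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
              "RRSIG": 46, "DNSKEY": 48, "NSEC3": 50}      # subset of IANA type codes
_B32HEX_TO_STD = str.maketrans("0123456789ABCDEFGHIJKLMNOPQRSTUV",
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

def parse_nsec3(line):
    """Parse 'owner NSEC3 alg flags iters salt next type...' (presentation form)."""
    owner, rrtype, alg, flags, iters, salt, nxt, *types = line.split()
    assert rrtype == "NSEC3", line
    b32 = nxt.upper().translate(_B32HEX_TO_STD) + "=" * (-len(nxt) % 8)
    return {"owner": owner.lower(), "alg": int(alg), "flags": int(flags),
            "iterations": int(iters), "salt": b"" if salt == "-" else bytes.fromhex(salt),
            "next": base64.b32decode(b32),          # hashed next owner name (base32hex)
            "types": sorted(TYPE_CODES[t] for t in types)}

def type_bitmap(codes):
    """Window-0 type bitmap (RFC 4034 section 4.1.2); all types here are below 256."""
    bits = bytearray(32)
    for c in codes:
        bits[c // 8] |= 0x80 >> (c % 8)
    used = bytes(bits).rstrip(b"\x00")
    return b"\x00" + bytes([len(used)]) + used if used else b""

def nsec3_rdata(rr):
    """Wire-format RDATA, i.e. the bytes the NSEC3 RRSIG is computed over."""
    return (bytes([rr["alg"], rr["flags"]]) + rr["iterations"].to_bytes(2, "big")
            + bytes([len(rr["salt"])]) + rr["salt"]
            + bytes([len(rr["next"])]) + rr["next"] + type_bitmap(rr["types"]))

def flag_mismatches(master_lines, secondary_lines):
    """Owner names whose NSEC3 flags differ between the two zone copies."""
    master = {r["owner"]: r for r in map(parse_nsec3, master_lines)}
    secondary = {r["owner"]: r for r in map(parse_nsec3, secondary_lines)}
    return sorted(o for o in master if o in secondary
                  and master[o]["flags"] != secondary[o]["flags"])

# Constructed sample: master signed without opt-out (flags 0); secondary sets opt-out (1).
MASTER = [
    "0P9MHAVEQVM6T7VBL5LOP2U3TO2PDATA.example. NSEC3 1 0 10 AABBCCDD "
    "2T7B4G4VSA5SMI47K61MV5BV1A22BOJR A RRSIG",
    "2T7B4G4VSA5SMI47K61MV5BV1A22BOJR.example. NSEC3 1 0 10 AABBCCDD "
    "0P9MHAVEQVM6T7VBL5LOP2U3TO2PDATA NS SOA RRSIG DNSKEY NSEC3"]
SECONDARY = [l.replace(" NSEC3 1 0 ", " NSEC3 1 1 ") for l in MASTER]

if __name__ == "__main__":
    print("owners with rewritten NSEC3 flags:", flag_mismatches(MASTER, SECONDARY))
```

Comparing `nsec3_rdata()` of the two copies shows they differ only in the flags byte, which is enough to make the master's RRSIG fail to verify on the secondary's RRset.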